SlideShare a Scribd company logo

Elastic Security under the hood

Elasticsearch
Elasticsearch

Elastic Security, powered by one of the biggest engineering groups inside Elastic today, is operationalizing the speed, scale, and relevance of the Elastic Stack for security use cases. Get an inside look into how Elastic Security works under the hood so you can learn how to make the most of the Elastic Stack for security. We’ll cover the main technical decisions for the detection engine, our endpoint protection, Fleet, data ingestion, and more.

Technology
1 of 19
Download to read offline
1 Elastic Security Under the hood Tudor Golubenco Tech lead, Security
2 This presentation and the accompanying oral presentation contain forward-looking statements, including statements concerning plans for future offerings; the expected strength, performance or benefits of our offerings; and our future operations and expected performance. These forward-looking statements are subject to the safe harbor provisions under the Private Securities Litigation Reform Act of 1995. Our expectations and beliefs in light of currently available information regarding these matters may not materialize. Actual outcomes and results may differ materially from those contemplated by these forward-looking statements due to uncertainties, risks, and changes in circumstances, including, but not limited to those related to: the impact of the COVID-19 pandemic on our business and our customers and partners; our ability to continue to deliver and improve our offerings and successfully develop new offerings, including security-related product offerings and SaaS offerings; customer acceptance and purchase of our existing offerings and new offerings, including the expansion and adoption of our SaaS offerings; our ability to realize value from investments in the business, including R&D investments; our ability to maintain and expand our user and customer base; our international expansion strategy; our ability to successfully execute our go-to-market strategy and expand in our existing markets and into new markets, and our ability to forecast customer retention and expansion; and general market, political, economic and business conditions. Additional risks and uncertainties that could cause actual outcomes and results to differ materially are included in our filings with the Securities and Exchange Commission (the “SEC”), including our Annual Report on Form 10-K for the most recent fiscal year, our quarterly report on Form 10-Q for the most recent fiscal quarter, and any subsequent reports filed with the SEC. SEC filings are available on the Investor Relations section of Elastic’s website at ir.elastic.co and the SEC’s website at www.sec.gov. Any features or functions of services or products referenced in this presentation, or in any presentations, press releases or public statements, which are not currently available or not currently available as a general availability release, may not be delivered on time or at all. The development, release, and timing of any features or functionality described for our products remains at our sole discretion. Customers who purchase our products and services should make the purchase decisions based upon services and product features and functions that are currently available. All statements are made only as of the date of the presentation, and Elastic assumes no obligation to, and does not currently intend to, update any forward-looking statements or statements relating to features or functions of services or products, except as required by law. Forward-Looking Statements
10,000 foot view As simple as it gets Agent KibanaElasticsearch
10,000 foot view As simple as it gets Collect and normalize data from hundreds of integrations Detections Alerts Threat hunting Threat intel Storage Indexing Data life-cycle Agent KibanaElasticsearch
Agent Scaling out Every component is horizontally scalable Agent KibanaAgent Elasticsearch
Scaling to multiple clusters Use different clusters for different use-cases or tenants Elasticsearch Kibana Elasticsearch Kibana Elasticsearch Kibana Cross-ClusterSearch Using Elastic @ Elastic: InfoSec and Elastic Security
7 Zoom and enhance: Ingest
Metricbeat Zoom and Enhance: Ingest One Agent! One Click! Agent Filebeat Auditbeat Endpoint Download Service
Elasticsearch Zoom and Enhance: Ingest Data normalization with ECS Data normalized as ECS Agent The importance of normalizing your security data • Elastic Common Schema (ECS https://github.com/elastic/ecs • Open source event schema • Common host, user, source, destination, etc, fields across all our data sources
Elasticsearch Kibana Agent Zoom and Enhance: Fleet Configuration management for Agents enroll config + API token Data append only mapping templates One agent, one click, and the future of data ingest with Elastic
ElasticsearchAgent Kibana Zoom and Enhance: Fleet Configuration management for Agents download package Package contents: ● dashboards ● mappings ● detection rules ● Agent config Elastic Package Registry
12 Zoom and enhance: Detections
Zoom and Enhance: Detections Detection engine rule types Advanced correlations for threat detection and more
Zoom and Enhance: Detections Alerts (a.k.a Signals) Detection rule ● wake up every 5m ● run a search ● for each match .siem-signals-<space-id>-0001 space-id makes Alerts be space specific for multi-tenancy Rotated by ILM alert id rule original create alert alert id rule original alert id rule original alert id rule original
Zoom and Enhance: Detections Query rule configuration time 0 5 10 15 rule executions interval loopback time • query time = interval + loopback time • Deduplication removes duplicates • Using event.ingested makes this less prone to delayed ingestion
alert id rule original alert id rule original alert id rule original alert id rule original Zoom and Enhance: Detections Alerts can reference 1, multiple, or zero events .siem-signals-<space-id>-0001 filebeat-* event 1 event 2 event 3 event 4 event 5 event 6
Elasticsearch Zoom and Enhance: Detections Distributed tasks with the Alerting framework Kibana Kibana Kibana List of tasks to execute poll for tasks poll for tasks poll for tasks Any Kibana instance can execute the task. Kibana Kibana Kibana
Zoom and Enhance: Detections Machine Learning Rules Machine Learning Job ● Runs on the Elasticsearch side ● Continuously look for anomalies in time series Detection rule ● wake up every 5m ● check for anomalies ● create Alert for every anomaly Machine learning and the Elastic Stack: Everywhere you need it alert id alert id alert id alert id
19 Mark Shaw Security Lead at ASB Bank, NZ

Recommended

SIEM, malware protection, deep data visibility — for free
SIEM, malware protection, deep data visibility — for freeSIEM, malware protection, deep data visibility — for free
SIEM, malware protection, deep data visibility — for freeElasticsearch
 
Managing the Elastic Stack at Scale
Managing the Elastic Stack at ScaleManaging the Elastic Stack at Scale
Managing the Elastic Stack at ScaleElasticsearch
 
Elastic Security keynote
Elastic Security keynoteElastic Security keynote
Elastic Security keynoteElasticsearch
 
Elastic Security: Unified protection for everyone
Elastic Security: Unified protection for everyoneElastic Security: Unified protection for everyone
Elastic Security: Unified protection for everyoneElasticsearch
 
Faster business decisions and collaboration with Elastic Workplace Search
Faster business decisions and collaboration with Elastic Workplace SearchFaster business decisions and collaboration with Elastic Workplace Search
Faster business decisions and collaboration with Elastic Workplace SearchElasticsearch
 
Using Elastic @ Elastic: InfoSec and Elastic Security
Using Elastic @ Elastic: InfoSec and Elastic SecurityUsing Elastic @ Elastic: InfoSec and Elastic Security
Using Elastic @ Elastic: InfoSec and Elastic SecurityElasticsearch
 
What's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesWhat's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesElasticsearch
 
What's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesWhat's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesElasticsearch
 

Recommended

SIEM, malware protection, deep data visibility — for free
SIEM, malware protection, deep data visibility — for freeSIEM, malware protection, deep data visibility — for free
SIEM, malware protection, deep data visibility — for freeElasticsearch
 
Managing the Elastic Stack at Scale
Managing the Elastic Stack at ScaleManaging the Elastic Stack at Scale
Managing the Elastic Stack at ScaleElasticsearch
 
Elastic Security keynote
Elastic Security keynoteElastic Security keynote
Elastic Security keynoteElasticsearch
 
Elastic Security: Unified protection for everyone
Elastic Security: Unified protection for everyoneElastic Security: Unified protection for everyone
Elastic Security: Unified protection for everyoneElasticsearch
 
Faster business decisions and collaboration with Elastic Workplace Search
Faster business decisions and collaboration with Elastic Workplace SearchFaster business decisions and collaboration with Elastic Workplace Search
Faster business decisions and collaboration with Elastic Workplace SearchElasticsearch
 
Using Elastic @ Elastic: InfoSec and Elastic Security
Using Elastic @ Elastic: InfoSec and Elastic SecurityUsing Elastic @ Elastic: InfoSec and Elastic Security
Using Elastic @ Elastic: InfoSec and Elastic SecurityElasticsearch
 
What's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesWhat's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesElasticsearch
 
What's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesWhat's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesElasticsearch
 
Modernizing deployment in any environment with Elastic
Modernizing deployment in any environment with ElasticModernizing deployment in any environment with Elastic
Modernizing deployment in any environment with ElasticElasticsearch
 
Securing the Elastic Stack for free
Securing the Elastic Stack for freeSecuring the Elastic Stack for free
Securing the Elastic Stack for freeElasticsearch
 
Operationalise with alerting, custom dashboards, and timelines
Operationalise with alerting, custom dashboards, and timelinesOperationalise with alerting, custom dashboards, and timelines
Operationalise with alerting, custom dashboards, and timelinesElasticsearch
 
What's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesWhat's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesElasticsearch
 
How South Dakota's BIT defends against cyber threats
How South Dakota's BIT defends against cyber threatsHow South Dakota's BIT defends against cyber threats
How South Dakota's BIT defends against cyber threatsElasticsearch
 
Opening keynote | Americas
Opening keynote | AmericasOpening keynote | Americas
Opening keynote | AmericasElasticsearch
 
Machine learning and the Elastic Stack: Everywhere you need it
Machine learning and the Elastic Stack: Everywhere you need itMachine learning and the Elastic Stack: Everywhere you need it
Machine learning and the Elastic Stack: Everywhere you need itElasticsearch
 
Mappy hour: Uncovering insights with Elastic Maps and location data
Mappy hour: Uncovering insights with Elastic Maps and location dataMappy hour: Uncovering insights with Elastic Maps and location data
Mappy hour: Uncovering insights with Elastic Maps and location dataElasticsearch
 
Using a risk based approach to provide cost-effective security
Using a risk based approach to provide cost-effective securityUsing a risk based approach to provide cost-effective security
Using a risk based approach to provide cost-effective securityElasticsearch
 
Free and open cloud security posture monitoring
Free and open cloud security posture monitoringFree and open cloud security posture monitoring
Free and open cloud security posture monitoringElasticsearch
 
The importance of normalizing your security data to ECS
The importance of normalizing your security data to ECSThe importance of normalizing your security data to ECS
The importance of normalizing your security data to ECSElasticsearch
 
Get involved with the security community at Elastic
Get involved with the security community at ElasticGet involved with the security community at Elastic
Get involved with the security community at ElasticElasticsearch
 
Security analytics with Elastic at Square Enix
Security analytics with Elastic at Square EnixSecurity analytics with Elastic at Square Enix
Security analytics with Elastic at Square EnixElasticsearch
 
From secure VPC links to SSO with Elastic Cloud
From secure VPC links to SSO with Elastic CloudFrom secure VPC links to SSO with Elastic Cloud
From secure VPC links to SSO with Elastic CloudElasticsearch
 
Monitoring modern applications using Elastic
Monitoring modern applications using ElasticMonitoring modern applications using Elastic
Monitoring modern applications using ElasticElasticsearch
 
Advanced correlations for threat detection and more
Advanced correlations for threat detection and moreAdvanced correlations for threat detection and more
Advanced correlations for threat detection and moreElasticsearch
 
Saving money with Elastic
Saving money with ElasticSaving money with Elastic
Saving money with ElasticElasticsearch
 
Hands-on with data visualization in Kibana
Hands-on with data visualization in KibanaHands-on with data visualization in Kibana
Hands-on with data visualization in KibanaElasticsearch
 
Public sector keynote
Public sector keynotePublic sector keynote
Public sector keynoteElasticsearch
 
Elasticsearch: From development to production in 15 minutes
Elasticsearch: From development to production in 15 minutesElasticsearch: From development to production in 15 minutes
Elasticsearch: From development to production in 15 minutesElasticsearch
 
Monitor multi-cloud deployments with Elastic Observability
Monitor multi-cloud deployments with Elastic ObservabilityMonitor multi-cloud deployments with Elastic Observability
Monitor multi-cloud deployments with Elastic ObservabilityElasticsearch
 
One agent, one click, and the future of data ingest with Elastic
One agent, one click, and the future of data ingest with ElasticOne agent, one click, and the future of data ingest with Elastic
One agent, one click, and the future of data ingest with ElasticElasticsearch
 

More Related Content

What's hot

Modernizing deployment in any environment with Elastic
Modernizing deployment in any environment with ElasticModernizing deployment in any environment with Elastic
Modernizing deployment in any environment with ElasticElasticsearch
 
Securing the Elastic Stack for free
Securing the Elastic Stack for freeSecuring the Elastic Stack for free
Securing the Elastic Stack for freeElasticsearch
 
Operationalise with alerting, custom dashboards, and timelines
Operationalise with alerting, custom dashboards, and timelinesOperationalise with alerting, custom dashboards, and timelines
Operationalise with alerting, custom dashboards, and timelinesElasticsearch
 
What's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesWhat's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesElasticsearch
 
How South Dakota's BIT defends against cyber threats
How South Dakota's BIT defends against cyber threatsHow South Dakota's BIT defends against cyber threats
How South Dakota's BIT defends against cyber threatsElasticsearch
 
Opening keynote | Americas
Opening keynote | AmericasOpening keynote | Americas
Opening keynote | AmericasElasticsearch
 
Machine learning and the Elastic Stack: Everywhere you need it
Machine learning and the Elastic Stack: Everywhere you need itMachine learning and the Elastic Stack: Everywhere you need it
Machine learning and the Elastic Stack: Everywhere you need itElasticsearch
 
Mappy hour: Uncovering insights with Elastic Maps and location data
Mappy hour: Uncovering insights with Elastic Maps and location dataMappy hour: Uncovering insights with Elastic Maps and location data
Mappy hour: Uncovering insights with Elastic Maps and location dataElasticsearch
 
Using a risk based approach to provide cost-effective security
Using a risk based approach to provide cost-effective securityUsing a risk based approach to provide cost-effective security
Using a risk based approach to provide cost-effective securityElasticsearch
 
Free and open cloud security posture monitoring
Free and open cloud security posture monitoringFree and open cloud security posture monitoring
Free and open cloud security posture monitoringElasticsearch
 
The importance of normalizing your security data to ECS
The importance of normalizing your security data to ECSThe importance of normalizing your security data to ECS
The importance of normalizing your security data to ECSElasticsearch
 
Get involved with the security community at Elastic
Get involved with the security community at ElasticGet involved with the security community at Elastic
Get involved with the security community at ElasticElasticsearch
 
Security analytics with Elastic at Square Enix
Security analytics with Elastic at Square EnixSecurity analytics with Elastic at Square Enix
Security analytics with Elastic at Square EnixElasticsearch
 
From secure VPC links to SSO with Elastic Cloud
From secure VPC links to SSO with Elastic CloudFrom secure VPC links to SSO with Elastic Cloud
From secure VPC links to SSO with Elastic CloudElasticsearch
 
Monitoring modern applications using Elastic
Monitoring modern applications using ElasticMonitoring modern applications using Elastic
Monitoring modern applications using ElasticElasticsearch
 
Advanced correlations for threat detection and more
Advanced correlations for threat detection and moreAdvanced correlations for threat detection and more
Advanced correlations for threat detection and moreElasticsearch
 
Saving money with Elastic
Saving money with ElasticSaving money with Elastic
Saving money with ElasticElasticsearch
 
Hands-on with data visualization in Kibana
Hands-on with data visualization in KibanaHands-on with data visualization in Kibana
Hands-on with data visualization in KibanaElasticsearch
 
Public sector keynote
Public sector keynotePublic sector keynote
Public sector keynoteElasticsearch
 
Elasticsearch: From development to production in 15 minutes
Elasticsearch: From development to production in 15 minutesElasticsearch: From development to production in 15 minutes
Elasticsearch: From development to production in 15 minutesElasticsearch
 

What's hot (20)

Modernizing deployment in any environment with Elastic
Modernizing deployment in any environment with ElasticModernizing deployment in any environment with Elastic
Modernizing deployment in any environment with Elastic
 
Securing the Elastic Stack for free
Securing the Elastic Stack for freeSecuring the Elastic Stack for free
Securing the Elastic Stack for free
 
Operationalise with alerting, custom dashboards, and timelines
Operationalise with alerting, custom dashboards, and timelinesOperationalise with alerting, custom dashboards, and timelines
Operationalise with alerting, custom dashboards, and timelines
 
What's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releasesWhat's new at Elastic: Update on major initiatives and releases
What's new at Elastic: Update on major initiatives and releases
 
How South Dakota's BIT defends against cyber threats
How South Dakota's BIT defends against cyber threatsHow South Dakota's BIT defends against cyber threats
How South Dakota's BIT defends against cyber threats
 
Opening keynote | Americas
Opening keynote | AmericasOpening keynote | Americas
Opening keynote | Americas
 
Machine learning and the Elastic Stack: Everywhere you need it
Machine learning and the Elastic Stack: Everywhere you need itMachine learning and the Elastic Stack: Everywhere you need it
Machine learning and the Elastic Stack: Everywhere you need it
 
Mappy hour: Uncovering insights with Elastic Maps and location data
Mappy hour: Uncovering insights with Elastic Maps and location dataMappy hour: Uncovering insights with Elastic Maps and location data
Mappy hour: Uncovering insights with Elastic Maps and location data
 
Using a risk based approach to provide cost-effective security
Using a risk based approach to provide cost-effective securityUsing a risk based approach to provide cost-effective security
Using a risk based approach to provide cost-effective security
 
Free and open cloud security posture monitoring
Free and open cloud security posture monitoringFree and open cloud security posture monitoring
Free and open cloud security posture monitoring
 
The importance of normalizing your security data to ECS
The importance of normalizing your security data to ECSThe importance of normalizing your security data to ECS
The importance of normalizing your security data to ECS
 
Get involved with the security community at Elastic
Get involved with the security community at ElasticGet involved with the security community at Elastic
Get involved with the security community at Elastic
 
Security analytics with Elastic at Square Enix
Security analytics with Elastic at Square EnixSecurity analytics with Elastic at Square Enix
Security analytics with Elastic at Square Enix
 
From secure VPC links to SSO with Elastic Cloud
From secure VPC links to SSO with Elastic CloudFrom secure VPC links to SSO with Elastic Cloud
From secure VPC links to SSO with Elastic Cloud
 
Monitoring modern applications using Elastic
Monitoring modern applications using ElasticMonitoring modern applications using Elastic
Monitoring modern applications using Elastic
 
Advanced correlations for threat detection and more
Advanced correlations for threat detection and moreAdvanced correlations for threat detection and more
Advanced correlations for threat detection and more
 
Saving money with Elastic
Saving money with ElasticSaving money with Elastic
Saving money with Elastic
 
Hands-on with data visualization in Kibana
Hands-on with data visualization in KibanaHands-on with data visualization in Kibana
Hands-on with data visualization in Kibana
 
Public sector keynote
Public sector keynotePublic sector keynote
Public sector keynote
 
Elasticsearch: From development to production in 15 minutes
Elasticsearch: From development to production in 15 minutesElasticsearch: From development to production in 15 minutes
Elasticsearch: From development to production in 15 minutes
 

Similar to Elastic Security under the hood

Monitor multi-cloud deployments with Elastic Observability
Monitor multi-cloud deployments with Elastic ObservabilityMonitor multi-cloud deployments with Elastic Observability
Monitor multi-cloud deployments with Elastic ObservabilityElasticsearch
 
One agent, one click, and the future of data ingest with Elastic
One agent, one click, and the future of data ingest with ElasticOne agent, one click, and the future of data ingest with Elastic
One agent, one click, and the future of data ingest with ElasticElasticsearch
 
Migrating to Elasticsearch Service on Elastic Cloud
Migrating to Elasticsearch Service on Elastic CloudMigrating to Elasticsearch Service on Elastic Cloud
Migrating to Elasticsearch Service on Elastic CloudElasticsearch
 
A new framework for alerts and actions in Kibana
A new framework for alerts and actions in KibanaA new framework for alerts and actions in Kibana
A new framework for alerts and actions in KibanaElasticsearch
 
Autoscaling: From zero to production seamlessly
Autoscaling: From zero to production seamlesslyAutoscaling: From zero to production seamlessly
Autoscaling: From zero to production seamlesslyElasticsearch
 
Elastic Observability keynote
Elastic Observability keynoteElastic Observability keynote
Elastic Observability keynoteElasticsearch
 
Better together: How the Elastic solutions work in tandem
Better together: How the Elastic solutions work in tandemBetter together: How the Elastic solutions work in tandem
Better together: How the Elastic solutions work in tandemElasticsearch
 
Cybersecurity: Intelligence, innovation, and information warfare
Cybersecurity: Intelligence, innovation, and information warfareCybersecurity: Intelligence, innovation, and information warfare
Cybersecurity: Intelligence, innovation, and information warfareElasticsearch
 
Creating stellar customer support experiences using search
Creating stellar customer support experiences using searchCreating stellar customer support experiences using search
Creating stellar customer support experiences using searchElasticsearch
 
Using Elastic @ Elastic: Fast-tracking support search
Using Elastic @ Elastic: Fast-tracking support searchUsing Elastic @ Elastic: Fast-tracking support search
Using Elastic @ Elastic: Fast-tracking support searchElasticsearch
 
Streamline search with Elasticsearch Service on Microsoft Azure
Streamline search with Elasticsearch Service on Microsoft AzureStreamline search with Elasticsearch Service on Microsoft Azure
Streamline search with Elasticsearch Service on Microsoft AzureElasticsearch
 
Streamline search with Elasticsearch Service on Microsoft Azure
Streamline search with Elasticsearch Service on Microsoft AzureStreamline search with Elasticsearch Service on Microsoft Azure
Streamline search with Elasticsearch Service on Microsoft AzureElasticsearch
 
Searching anything, anywhere with Workplace Search
Searching anything, anywhere with Workplace SearchSearching anything, anywhere with Workplace Search
Searching anything, anywhere with Workplace SearchElasticsearch
 
Automating the Elastic Stack
Automating the Elastic StackAutomating the Elastic Stack
Automating the Elastic StackElasticsearch
 
Elastic Stack keynote
Elastic Stack keynoteElastic Stack keynote
Elastic Stack keynoteElasticsearch
 
How CACI and Elastic support the Department of Defense
How CACI and Elastic support the Department of DefenseHow CACI and Elastic support the Department of Defense
How CACI and Elastic support the Department of DefenseElasticsearch
 
Shaping insight into results with Elastic App Search
Shaping insight into results with Elastic App SearchShaping insight into results with Elastic App Search
Shaping insight into results with Elastic App SearchElasticsearch
 
Opening keynote | EMEA
Opening keynote | EMEAOpening keynote | EMEA
Opening keynote | EMEAElasticsearch
 
Opening keynote | Asia Pacific
Opening keynote | Asia PacificOpening keynote | Asia Pacific
Opening keynote | Asia PacificElasticsearch
 
Elastic, DevSecOps, and the DOD software factory
Elastic, DevSecOps, and the DOD software factoryElastic, DevSecOps, and the DOD software factory
Elastic, DevSecOps, and the DOD software factoryElasticsearch
 

Similar to Elastic Security under the hood (20)

Monitor multi-cloud deployments with Elastic Observability
Monitor multi-cloud deployments with Elastic ObservabilityMonitor multi-cloud deployments with Elastic Observability
Monitor multi-cloud deployments with Elastic Observability
 
One agent, one click, and the future of data ingest with Elastic
One agent, one click, and the future of data ingest with ElasticOne agent, one click, and the future of data ingest with Elastic
One agent, one click, and the future of data ingest with Elastic
 
Migrating to Elasticsearch Service on Elastic Cloud
Migrating to Elasticsearch Service on Elastic CloudMigrating to Elasticsearch Service on Elastic Cloud
Migrating to Elasticsearch Service on Elastic Cloud
 
A new framework for alerts and actions in Kibana
A new framework for alerts and actions in KibanaA new framework for alerts and actions in Kibana
A new framework for alerts and actions in Kibana
 
Autoscaling: From zero to production seamlessly
Autoscaling: From zero to production seamlesslyAutoscaling: From zero to production seamlessly
Autoscaling: From zero to production seamlessly
 
Elastic Observability keynote
Elastic Observability keynoteElastic Observability keynote
Elastic Observability keynote
 
Better together: How the Elastic solutions work in tandem
Better together: How the Elastic solutions work in tandemBetter together: How the Elastic solutions work in tandem
Better together: How the Elastic solutions work in tandem
 
Cybersecurity: Intelligence, innovation, and information warfare
Cybersecurity: Intelligence, innovation, and information warfareCybersecurity: Intelligence, innovation, and information warfare
Cybersecurity: Intelligence, innovation, and information warfare
 
Creating stellar customer support experiences using search
Creating stellar customer support experiences using searchCreating stellar customer support experiences using search
Creating stellar customer support experiences using search
 
Using Elastic @ Elastic: Fast-tracking support search
Using Elastic @ Elastic: Fast-tracking support searchUsing Elastic @ Elastic: Fast-tracking support search
Using Elastic @ Elastic: Fast-tracking support search
 
Streamline search with Elasticsearch Service on Microsoft Azure
Streamline search with Elasticsearch Service on Microsoft AzureStreamline search with Elasticsearch Service on Microsoft Azure
Streamline search with Elasticsearch Service on Microsoft Azure
 
Streamline search with Elasticsearch Service on Microsoft Azure
Streamline search with Elasticsearch Service on Microsoft AzureStreamline search with Elasticsearch Service on Microsoft Azure
Streamline search with Elasticsearch Service on Microsoft Azure
 
Searching anything, anywhere with Workplace Search
Searching anything, anywhere with Workplace SearchSearching anything, anywhere with Workplace Search
Searching anything, anywhere with Workplace Search
 
Automating the Elastic Stack
Automating the Elastic StackAutomating the Elastic Stack
Automating the Elastic Stack
 
Elastic Stack keynote
Elastic Stack keynoteElastic Stack keynote
Elastic Stack keynote
 
How CACI and Elastic support the Department of Defense
How CACI and Elastic support the Department of DefenseHow CACI and Elastic support the Department of Defense
How CACI and Elastic support the Department of Defense
 
Shaping insight into results with Elastic App Search
Shaping insight into results with Elastic App SearchShaping insight into results with Elastic App Search
Shaping insight into results with Elastic App Search
 
Opening keynote | EMEA
Opening keynote | EMEAOpening keynote | EMEA
Opening keynote | EMEA
 
Opening keynote | Asia Pacific
Opening keynote | Asia PacificOpening keynote | Asia Pacific
Opening keynote | Asia Pacific
 
Elastic, DevSecOps, and the DOD software factory
Elastic, DevSecOps, and the DOD software factoryElastic, DevSecOps, and the DOD software factory
Elastic, DevSecOps, and the DOD software factory
 

More from Elasticsearch

An introduction to Elasticsearch's advanced relevance ranking toolbox
An introduction to Elasticsearch's advanced relevance ranking toolboxAn introduction to Elasticsearch's advanced relevance ranking toolbox
An introduction to Elasticsearch's advanced relevance ranking toolboxElasticsearch
 
From MSP to MSSP using Elastic
From MSP to MSSP using ElasticFrom MSP to MSSP using Elastic
From MSP to MSSP using ElasticElasticsearch
 
Cómo crear excelentes experiencias de búsqueda en sitios web
Cómo crear excelentes experiencias de búsqueda en sitios webCómo crear excelentes experiencias de búsqueda en sitios web
Cómo crear excelentes experiencias de búsqueda en sitios webElasticsearch
 
Te damos la bienvenida a una nueva forma de realizar búsquedas
Te damos la bienvenida a una nueva forma de realizar búsquedas Te damos la bienvenida a una nueva forma de realizar búsquedas
Te damos la bienvenida a una nueva forma de realizar búsquedas Elasticsearch
 
Tirez pleinement parti d'Elastic grâce à Elastic Cloud
Tirez pleinement parti d'Elastic grâce à Elastic CloudTirez pleinement parti d'Elastic grâce à Elastic Cloud
Tirez pleinement parti d'Elastic grâce à Elastic CloudElasticsearch
 
Comment transformer vos données en informations exploitables
Comment transformer vos données en informations exploitablesComment transformer vos données en informations exploitables
Comment transformer vos données en informations exploitablesElasticsearch
 
Plongez au cœur de la recherche dans tous ses états.
Plongez au cœur de la recherche dans tous ses états.Plongez au cœur de la recherche dans tous ses états.
Plongez au cœur de la recherche dans tous ses états.Elasticsearch
 
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]Elasticsearch
 
An introduction to Elasticsearch's advanced relevance ranking toolbox
An introduction to Elasticsearch's advanced relevance ranking toolboxAn introduction to Elasticsearch's advanced relevance ranking toolbox
An introduction to Elasticsearch's advanced relevance ranking toolboxElasticsearch
 
Welcome to a new state of find
Welcome to a new state of findWelcome to a new state of find
Welcome to a new state of findElasticsearch
 
Building great website search experiences
Building great website search experiencesBuilding great website search experiences
Building great website search experiencesElasticsearch
 
Keynote: Harnessing the power of Elasticsearch for simplified search
Keynote: Harnessing the power of Elasticsearch for simplified searchKeynote: Harnessing the power of Elasticsearch for simplified search
Keynote: Harnessing the power of Elasticsearch for simplified searchElasticsearch
 
Cómo transformar los datos en análisis con los que tomar decisiones
Cómo transformar los datos en análisis con los que tomar decisionesCómo transformar los datos en análisis con los que tomar decisiones
Cómo transformar los datos en análisis con los que tomar decisionesElasticsearch
 
Explore relève les défis Big Data avec Elastic Cloud
Explore relève les défis Big Data avec Elastic Cloud Explore relève les défis Big Data avec Elastic Cloud
Explore relève les défis Big Data avec Elastic Cloud Elasticsearch
 
Comment transformer vos données en informations exploitables
Comment transformer vos données en informations exploitablesComment transformer vos données en informations exploitables
Comment transformer vos données en informations exploitablesElasticsearch
 
Transforming data into actionable insights
Transforming data into actionable insightsTransforming data into actionable insights
Transforming data into actionable insightsElasticsearch
 
Opening Keynote: Why Elastic?
Opening Keynote: Why Elastic?Opening Keynote: Why Elastic?
Opening Keynote: Why Elastic?Elasticsearch
 
Empowering agencies using Elastic as a Service inside Government
Empowering agencies using Elastic as a Service inside GovernmentEmpowering agencies using Elastic as a Service inside Government
Empowering agencies using Elastic as a Service inside GovernmentElasticsearch
 
The opportunities and challenges of data for public good
The opportunities and challenges of data for public goodThe opportunities and challenges of data for public good
The opportunities and challenges of data for public goodElasticsearch
 
Enterprise search and unstructured data with CGI and Elastic
Enterprise search and unstructured data with CGI and ElasticEnterprise search and unstructured data with CGI and Elastic
Enterprise search and unstructured data with CGI and ElasticElasticsearch
 

More from Elasticsearch (20)

An introduction to Elasticsearch's advanced relevance ranking toolbox
An introduction to Elasticsearch's advanced relevance ranking toolboxAn introduction to Elasticsearch's advanced relevance ranking toolbox
An introduction to Elasticsearch's advanced relevance ranking toolbox
 
From MSP to MSSP using Elastic
From MSP to MSSP using ElasticFrom MSP to MSSP using Elastic
From MSP to MSSP using Elastic
 
Cómo crear excelentes experiencias de búsqueda en sitios web
Cómo crear excelentes experiencias de búsqueda en sitios webCómo crear excelentes experiencias de búsqueda en sitios web
Cómo crear excelentes experiencias de búsqueda en sitios web
 
Te damos la bienvenida a una nueva forma de realizar búsquedas
Te damos la bienvenida a una nueva forma de realizar búsquedas Te damos la bienvenida a una nueva forma de realizar búsquedas
Te damos la bienvenida a una nueva forma de realizar búsquedas
 
Tirez pleinement parti d'Elastic grâce à Elastic Cloud
Tirez pleinement parti d'Elastic grâce à Elastic CloudTirez pleinement parti d'Elastic grâce à Elastic Cloud
Tirez pleinement parti d'Elastic grâce à Elastic Cloud
 
Comment transformer vos données en informations exploitables
Comment transformer vos données en informations exploitablesComment transformer vos données en informations exploitables
Comment transformer vos données en informations exploitables
 
Plongez au cœur de la recherche dans tous ses états.
Plongez au cœur de la recherche dans tous ses états.Plongez au cœur de la recherche dans tous ses états.
Plongez au cœur de la recherche dans tous ses états.
 
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]
 
An introduction to Elasticsearch's advanced relevance ranking toolbox
An introduction to Elasticsearch's advanced relevance ranking toolboxAn introduction to Elasticsearch's advanced relevance ranking toolbox
An introduction to Elasticsearch's advanced relevance ranking toolbox
 
Welcome to a new state of find
Welcome to a new state of findWelcome to a new state of find
Welcome to a new state of find
 
Building great website search experiences
Building great website search experiencesBuilding great website search experiences
Building great website search experiences
 
Keynote: Harnessing the power of Elasticsearch for simplified search
Keynote: Harnessing the power of Elasticsearch for simplified searchKeynote: Harnessing the power of Elasticsearch for simplified search
Keynote: Harnessing the power of Elasticsearch for simplified search
 
Cómo transformar los datos en análisis con los que tomar decisiones
Cómo transformar los datos en análisis con los que tomar decisionesCómo transformar los datos en análisis con los que tomar decisiones
Cómo transformar los datos en análisis con los que tomar decisiones
 
Explore relève les défis Big Data avec Elastic Cloud
Explore relève les défis Big Data avec Elastic Cloud Explore relève les défis Big Data avec Elastic Cloud
Explore relève les défis Big Data avec Elastic Cloud
 
Comment transformer vos données en informations exploitables
Comment transformer vos données en informations exploitablesComment transformer vos données en informations exploitables
Comment transformer vos données en informations exploitables
 
Transforming data into actionable insights
Transforming data into actionable insightsTransforming data into actionable insights
Transforming data into actionable insights
 
Opening Keynote: Why Elastic?
Opening Keynote: Why Elastic?Opening Keynote: Why Elastic?
Opening Keynote: Why Elastic?
 
Empowering agencies using Elastic as a Service inside Government
Empowering agencies using Elastic as a Service inside GovernmentEmpowering agencies using Elastic as a Service inside Government
Empowering agencies using Elastic as a Service inside Government
 
The opportunities and challenges of data for public good
The opportunities and challenges of data for public goodThe opportunities and challenges of data for public good
The opportunities and challenges of data for public good
 
Enterprise search and unstructured data with CGI and Elastic
Enterprise search and unstructured data with CGI and ElasticEnterprise search and unstructured data with CGI and Elastic
Enterprise search and unstructured data with CGI and Elastic
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 

Elastic Security under the hood

  • 1. 1 Elastic Security Under the hood Tudor Golubenco Tech lead, Security
  • 2. 2 This presentation and the accompanying oral presentation contain forward-looking statements, including statements concerning plans for future offerings; the expected strength, performance or benefits of our offerings; and our future operations and expected performance. These forward-looking statements are subject to the safe harbor provisions under the Private Securities Litigation Reform Act of 1995. Our expectations and beliefs in light of currently available information regarding these matters may not materialize. Actual outcomes and results may differ materially from those contemplated by these forward-looking statements due to uncertainties, risks, and changes in circumstances, including, but not limited to those related to: the impact of the COVID-19 pandemic on our business and our customers and partners; our ability to continue to deliver and improve our offerings and successfully develop new offerings, including security-related product offerings and SaaS offerings; customer acceptance and purchase of our existing offerings and new offerings, including the expansion and adoption of our SaaS offerings; our ability to realize value from investments in the business, including R&D investments; our ability to maintain and expand our user and customer base; our international expansion strategy; our ability to successfully execute our go-to-market strategy and expand in our existing markets and into new markets, and our ability to forecast customer retention and expansion; and general market, political, economic and business conditions. Additional risks and uncertainties that could cause actual outcomes and results to differ materially are included in our filings with the Securities and Exchange Commission (the “SEC”), including our Annual Report on Form 10-K for the most recent fiscal year, our quarterly report on Form 10-Q for the most recent fiscal quarter, and any subsequent reports filed with the SEC. SEC filings are available on the Investor Relations section of Elastic’s website at ir.elastic.co and the SEC’s website at www.sec.gov. Any features or functions of services or products referenced in this presentation, or in any presentations, press releases or public statements, which are not currently available or not currently available as a general availability release, may not be delivered on time or at all. The development, release, and timing of any features or functionality described for our products remains at our sole discretion. Customers who purchase our products and services should make the purchase decisions based upon services and product features and functions that are currently available. All statements are made only as of the date of the presentation, and Elastic assumes no obligation to, and does not currently intend to, update any forward-looking statements or statements relating to features or functions of services or products, except as required by law. Forward-Looking Statements
  • 3. 10,000 foot view As simple as it gets Agent KibanaElasticsearch
  • 4. 10,000 foot view As simple as it gets Collect and normalize data from hundreds of integrations Detections Alerts Threat hunting Threat intel Storage Indexing Data life-cycle Agent KibanaElasticsearch
  • 5. Agent Scaling out Every component is horizontally scalable Agent KibanaAgent Elasticsearch
  • 6. Scaling to multiple clusters Use different clusters for different use-cases or tenants Elasticsearch Kibana Elasticsearch Kibana Elasticsearch Kibana Cross-ClusterSearch Using Elastic @ Elastic: InfoSec and Elastic Security
  • 8. Metricbeat Zoom and Enhance: Ingest One Agent! One Click! Agent Filebeat Auditbeat Endpoint Download Service
  • 9. Elasticsearch Zoom and Enhance: Ingest Data normalization with ECS Data normalized as ECS Agent The importance of normalizing your security data • Elastic Common Schema (ECS https://github.com/elastic/ecs • Open source event schema • Common host, user, source, destination, etc, fields across all our data sources
  • 10. Elasticsearch Kibana Agent Zoom and Enhance: Fleet Configuration management for Agents enroll config + API token Data append only mapping templates One agent, one click, and the future of data ingest with Elastic
  • 11. ElasticsearchAgent Kibana Zoom and Enhance: Fleet Configuration management for Agents download package Package contents: ● dashboards ● mappings ● detection rules ● Agent config Elastic Package Registry
  • 13. Zoom and Enhance: Detections Detection engine rule types Advanced correlations for threat detection and more
  • 14. Zoom and Enhance: Detections Alerts (a.k.a Signals) Detection rule ● wake up every 5m ● run a search ● for each match .siem-signals-<space-id>-0001 space-id makes Alerts be space specific for multi-tenancy Rotated by ILM alert id rule original create alert alert id rule original alert id rule original alert id rule original
  • 15. Zoom and Enhance: Detections Query rule configuration time 0 5 10 15 rule executions interval loopback time • query time = interval + loopback time • Deduplication removes duplicates • Using event.ingested makes this less prone to delayed ingestion
  • 16. alert id rule original alert id rule original alert id rule original alert id rule original Zoom and Enhance: Detections Alerts can reference 1, multiple, or zero events .siem-signals-<space-id>-0001 filebeat-* event 1 event 2 event 3 event 4 event 5 event 6
  • 17. Elasticsearch Zoom and Enhance: Detections Distributed tasks with the Alerting framework Kibana Kibana Kibana List of tasks to execute poll for tasks poll for tasks poll for tasks Any Kibana instance can execute the task. Kibana Kibana Kibana
  • 18. Zoom and Enhance: Detections Machine Learning Rules Machine Learning Job ● Runs on the Elasticsearch side ● Continuously look for anomalies in time series Detection rule ● wake up every 5m ● check for anomalies ● create Alert for every anomaly Machine learning and the Elastic Stack: Everywhere you need it alert id alert id alert id alert id
  • 19. 19 Mark Shaw Security Lead at ASB Bank, NZ